b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                        Additional Security Is Needed for\n                       Access to the Registered User Portal\n\n\n\n                                          March 31, 2010\n\n                              Reference Number: 2010-20-027\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n Redaction Legend:\n 1 = Tax Return/Return Information\n 2(f) = Risk Circumvention of Agency Regulation or Statute\n\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                    DEPARTMENT OF THE TREASURY\n                                                          WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                                    March 31, 2010\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n                COMMISSIONER, WAGE AND INVESTMENT DIVISION\n\n FROM:                            Michael R. Phillips\n                                  Deputy Inspector General for Audit\n\n SUBJECT:                         Final Audit Report \xe2\x80\x93 Additional Security Is Needed for Access to the\n                                  Registered User Portal (Audit # 200920014)\n\n This report presents the results of our review to determine whether the Internal Revenue Service\n (IRS) established effective access and audit trail controls for the Registered User Portal (RUP),\n which allows access to the IRS\xe2\x80\x99 e-Services 1 suite of applications, to protect taxpayer data from\n unauthorized disclosure. 
This audit was included in the Treasury Inspector General for Tax\n Administration\xe2\x80\x99s Fiscal Year 2009 Annual Audit Plan and was part of our statutory requirement\n to annually review the adequacy and security of IRS technology.\n\n Impact on the Taxpayer\n The use of the Internet is an integral part of the IRS\xe2\x80\x99 mission to deliver top quality service to all\n taxpayers. The IRS developed the RUP to help accomplish this mission. The RUP serves as the\n entry point for web access to e-Services applications and provides outside tax professionals with\n the ability to submit and retrieve tax-related information and electronically file (e-file) tax\n returns. Because these external users can access taxpayer data, modify electronic tax returns\n prior to transmitting them to the IRS, and download taxpayer data to their computers, access\n controls at the RUP are critical to minimize the risk of unauthorized access to taxpayers\xe2\x80\x99\n personal tax data.\n\n\n\n\n 1\n     See Appendix IV for a list of e-Services products.\n\x0c                                          Additional Security Is Needed for\n                                        Access to the Registered User Portal\n\n\n\n\nSynopsis\nThe RUP and e-Services applications allow the IRS to become more efficient and make tax filing\neasier. During the 2008 Filing Season, 2 58 percent of all tax returns, nearly 90 million of the\n155 million tax returns filed, were received electronically. However, the RUP and e-Services\napplications also pose risks to the security of taxpayers\xe2\x80\x99 personal data. To mitigate the risks, the\nIRS implemented several access controls. 
For example, the RUP automatically disables a user\naccount after three unsuccessful logon attempts, passwords are masked to prevent the passwords\nfrom being viewed when typed, and the RUP displays a banner to warn persons attempting to\ngain access that illegal attempts to log on to the system could lead to criminal prosecution.\nAlthough some access controls are in place, several other required controls were not\nimplemented.\n      \xe2\x80\xa2    Suitability checks are not performed on all users who e-file tax returns and access\n           taxpayer data. The IRS allows principals and responsible officials at tax preparation\n           firms to delegate their access rights to other individuals. These \xe2\x80\x9cdelegates\xe2\x80\x9d may be\n           members of the firm or persons with whom the firm has a business relationship and do\n           not undergo a suitability check. A principal or responsible official also has the ability to\n           delegate a \xe2\x80\x9cPrincipal Consent\xe2\x80\x9d right that allows the delegated user to propagate his or her\n           access rights to other individuals.\n      \xe2\x80\xa2    The IRS did not always follow its procedures for approving e-file applicants who failed\n           the criminal background part of their suitability check. *****1*******************\n           *******1************************************************** 3 ***1*******\n           *******1**************************************************************\n           *******1**************************************************************\n           *******1*************************************. 
IRS procedures do not specify\n           which IRS office has the final authority to approve or disapprove an e-file applicant\xe2\x80\x99s\n           request to participate in the e-file program when an applicant fails his or her criminal\n           background check.\n      \xe2\x80\xa2    Limitations in the Third Party Data Store, which is used to record and monitor\n           information about individuals who have applied to participate in the e-file program,\n           prevent this system from posting the complete results of the systemic tax compliance\n           check that is performed on an applicant\xe2\x80\x99s spouse. Therefore, the spouse\xe2\x80\x99s tax compliance\n           check is performed manually, which is inefficient and increases the risk of human error.\n      \xe2\x80\xa2    The RUP was not configured to disable and remove users\xe2\x80\x99 access accounts in accordance\n           with IRS security policies and procedures. Systems are required to disable inactive\n\n2\n    The period from January through mid-April when most individual income tax returns are filed.\n3\n    The IRS e-file program allows individuals to submit tax form data over the Internet.\n                                                                                                      2\n\x0c                                      Additional Security Is Needed for\n                                    Access to the Registered User Portal\n\n\n\n\n        accounts after 45 days and remove the accounts after 60 days. 4 Inactive accounts\n        unnecessarily increase the opportunity for malicious individuals to gain access to\n        taxpayer data through an unused account. Rather than implement the control to disable\n        inactive accounts after 45 days, the IRS set the control to 720 days. In addition, the IRS\n        did not implement a control to remove inactive accounts. 
The controls were not\n        established because the IRS wanted to accommodate the users, many of whom have only\n        a seasonal need to use the RUP.\n    \xe2\x80\xa2   Required password controls were not implemented, and some individuals were using\n        their Social Security Number as their username. The Office of Management and Budget 5\n        advised agencies in May 2007 to avoid or reduce the use of Social Security Numbers as\n        personal identifiers.\n    \xe2\x80\xa2   The IRS did not implement the control to **********2**************************\n        ******2**************** and does not analyze the RUP audit logs to detect unlawful\n        or unauthorized activities.\n\nRecommendations\nTo ensure taxpayer data are safeguarded, we recommended the Director, Electronic Tax\nAdministration and Refundable Credits, Wage and Investment Division, 1) require suitability\nchecks on delegated users who e-file tax returns or access the e-Services incentive products and\ndisable the principal consent feature; 2) revise the appeal procedures for e-file applicants who fail\ntheir suitability check to specify that the Fraud Detection Center has the final approval authority;\n3) disable and delete inactive RUP accounts in accordance with IRS procedures or follow the\nIRS risk-based decision procedures to obtain the required thorough assessment, recommendation,\nand approval to not implement the required security controls; 4) request the Chief Technology\nOfficer enhance the RUP to require passwords to contain a mix of lower case and upper case\nletters, set the password length to 12 characters, and prevent the use of Social Security Numbers\nas usernames and obtain the required thorough assessment, recommendation, and approval to\ndeviate from the IRS password expiration and history requirements; and 5) request the Chief\nTechnology Officer implement a control to allow users to answer a series of challenge questions\nto unlock their accounts.\nWe also 
recommended the Chief Technology Officer enhance the e-file application on the Third\nParty Data Store to post the complete results of the tax compliance check that is performed for an\n\n\n\n4\n During our fieldwork, the IRS changed its requirement for removing inactive accounts to 180 days.\n5\n Office of Management and Budget memorandum Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information (M-07-16, dated May 22, 2007).\n                                                                                                     3\n\x0c                                   Additional Security Is Needed for\n                                 Access to the Registered User Portal\n\n\n\n\napplicant\xe2\x80\x99s spouse and instruct the Cybersecurity office to develop a process to analyze the\nactivities of RUP users and begin reviewing the audit logs.\n\nResponse\nIRS management agreed to 1) perform suitability checks on delegated users who e-file tax\nreturns or access the e-Services incentive products; 2) strengthen the procedures for evaluating\ne-file applicants who fail their suitability check and establish an Executive Review Board to\nformally consider deviations from the Criminal Investigation Division\xe2\x80\x99s recommendations;\n3) request the Modernization and Information Technology Services organization enhance the\nThird Party Data Store to post the entire results from the Automated Suitability Analysis\nProgram; 4) complete a full risk-based decision process and execute a revised risk-based\ndecision memorandum that complies with the Modernization and Information Technology\nServices organization\xe2\x80\x99s standards; 5) prevent the use of Social Security Numbers as usernames,\nrequire passwords to contain a mixture of uppercase and lowercase letters, and work with the\nModernization and Information Technology Services organization\xe2\x80\x99s Cybersecurity office to\nobtain the requisite thorough assessment, recommendation, 
and approval to deviate from the\nIRS\xe2\x80\x99 password expiration requirement; and 6) request the Modernization and Information\nTechnology Services organization make programming changes to the RUP to allow users to\nanswer a series of challenge questions to unlock their accounts. The IRS also stated that the\nRUP audit logs are now being reviewed to detect unauthorized activities.\nIn addition, the IRS stated it does not believe the final authority for approvals of applicants with\ncriminal records should rest solely with the Criminal Investigation Division, and it revised its\nprocedures, as of July 31, 2009, to lower the minimum password length to eight characters for all\nsystems except the Windows operating system.\nManagement\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n\nOffice of Audit Comment\nWe concur with the IRS decision to establish an Executive Review Board to formally consider\ndeviations from the Criminal Investigation Division\xe2\x80\x99s recommendations. The IRS stated the new\nboard will include members from the Office of Professional Responsibility along with\nrepresentatives from other IRS business operating divisions. Members from outside of the Wage\nand Investment Division should ensure an impartial suitability decision process. Regarding the\nIRS disagreement with our recommendation to set the password length to 12 characters, we\nconfirmed the IRS lowered its password complexity requirements to require only 8 characters for\nall non-Windows operating systems. Therefore, we concur with the IRS decision to not set the\npassword length to 12 characters.\n\n\n                                                                                                   4\n\x0c                                Additional Security Is Needed for\n                              Access to the Registered User Portal\n\n\n\n\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. 
Please contact me at (202) 622-6510 if you have questions or Alan Duncan,\nAssistant Inspector General for Audit (Security and Information Technology Services), at\n(202) 622-5894.\n\n\n\n\n                                                                                             5\n\x0c                                              Additional Security Is Needed for\n                                            Access to the Registered User Portal\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 4\n          Some Access Controls for the Registered User Portal\n          and E-Services Applications Were Implemented but\n          Improvements Are Needed ...........................................................................Page 4\n                    Recommendations 1 and 2: ..............................................Page 11\n\n                    Recommendations 3 through 5:.........................................Page 12\n\n                    Recommendation 6:........................................................Page 13\n\n          Audit Logs for the Registered User Portal Are Not Reviewed.....................Page 13\n                    Recommendation 7:........................................................Page 15\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 16\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 18\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 19\n          Appendix IV \xe2\x80\x93 List of Internal Revenue Service\n          E-Services Products 
......................................................................................Page 20\n          Appendix V - Management\xe2\x80\x99s Response to the Draft Report ........................Page 22\n\x0c              Additional Security Is Needed for\n            Access to the Registered User Portal\n\n\n\n\n                Abbreviations\n\nDAA      Designated Approving Authority\ne-file   Electronically file; electronic filing\nETARC    Electronic Tax Administration and Refundable Credits\nFDC      Fraud Detection Center\nIRS      Internal Revenue Service\nMITS     Modernization and Information Technology Services\nRUP      Registered User Portal\nTIN      Taxpayer Identification Number\n\x0c                                         Additional Security Is Needed for\n                                       Access to the Registered User Portal\n\n\n\n\n                                             Background\n\nThe use of the Internet is an integral part of the Internal Revenue Service\xe2\x80\x99s (IRS) mission to\ndeliver top quality service to all taxpayers. The need to use the Internet is partly driven by the\nIRS Restructuring and Reform Act of 1998, 1 which required the IRS to become more efficient,\nmake tax filing easier, and receive 80 percent of all tax returns electronically by 2007.\nTo help accomplish this mission, the IRS developed the\nRegistered User Portal (RUP) and e-Services suite of\napplications. The RUP serves as the entry point for web        The RUP and e-Services allow tax\naccess to e-Services applications. 
The e-Services was           professionals to use the Internet\none of the first business systems modernization projects         to e-file tax returns and submit\n                                                                     and retrieve tax-related\ninitiated by the IRS and includes a suite of web-based                      information.\nproducts that allow tax professionals to submit and\n           2\n\nretrieve tax-related information and electronically file\n(e-file) tax returns. Tax professionals that e-file at least\nfive tax returns per year are also granted access to e-Services incentive products that allow tax\nprofessionals to electronically submit a Power of Attorney document to the IRS, send and\nreceive inquiries about individual or business account problems, and download taxpayers\xe2\x80\x99\npersonal tax data to computers outside of the IRS.\nDuring the 2008 Filing Season, 3 58 percent of all tax returns, nearly 90 million of the 155 million\ntax returns filed, were received electronically. Along with the increased efficiency and other\nbenefits, the RUP and e-Services present security risks. Taxpayers entrust the IRS with their\nsensitive financial and personal data and expect the IRS to protect these data from unauthorized\ndisclosure and identity theft.\nA previous review 4 conducted by the Treasury Inspector General for Tax Administration on tax\npreparers identified fraudulent activity within the tax preparer environment, which increases our\nconcern of the security risks affecting the RUP and e-Services. We reported that the IRS was not\naware of 160 tax preparers who had been assessed tax penalties, were permanently enjoined by a\nFederal Court, or had been sentenced for abusive tax shelter activities that caused loss to the\nFederal Government of approximately $34.9 million. These preparers were still eligible to\n\n\n1\n  Pub. L. 105-206, 122 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. 
app., 16 U.S.C.,\n19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).\n2\n  See Appendix IV for a list of e-Services products.\n3\n  The period from January through mid-April when most individual income tax returns are filed.\n4\n  Tax Practitioners Promoting Abusive Tax Shelters Are Still Able to Represent Taxpayers Before the Internal\nRevenue Service (Reference Number 2009-10-039, dated February 20, 2009).\n                                                                                                             Page 1\n\x0c                                   Additional Security Is Needed for\n                                 Access to the Registered User Portal\n\n\n\nrepresent 9,766 taxpayers before the IRS. In addition, the Treasury Inspector General for Tax\nAdministration Office of Investigations has investigated numerous ongoing fraudulent activities\nin the tax preparation industry. Examples include preparers who overstate their qualifications,\nsteal clients\xe2\x80\x99 tax payments or tax refunds, impersonate IRS employees, and misuse the IRS seal\nor logo. The IRS is especially vulnerable since it does not know how many paid preparers exist\nand cannot determine the full extent of noncompliance among preparers.\nThe IRS uses access controls to protect taxpayers\xe2\x80\x99 data processed through the RUP. Access\ncontrols include authentication, authorization, and accountability. Authentication includes\ndetermining who can log on to a system. 
Authorization determines what a user can do after they\nare authenticated, and accountability identifies what a user did when they were on the system.\nPoor access controls could result in intruders gaining unauthorized access to taxpayer data.\nThe responsibility for managing the RUP and e-Services is shared by the Wage and Investment\nDivision and Modernization and Information Technology Services (MITS) organization.\n   \xe2\x80\xa2   The Wage and Investment Division\xe2\x80\x99s Electronic Tax Administration and Refundable\n       Credits (ETARC) office sets the policies for the RUP and manages the relationships with\n       key internal and external stakeholders as well as industry partners to increase the IRS\xe2\x80\x99\n       electronic interaction with the public.\n   \xe2\x80\xa2   The Wage and Investment Division Electronic Products and Services Support function\n       provides program management for e-Services, including the e-help desk.\n   \xe2\x80\xa2   The MITS organization\xe2\x80\x99s Portal Program Management office provides program direction,\n       oversight, and central control of the IRS portal environment, including oversight of the\n       contractor that manages the RUP components located in Chicago, Illinois, and\n       Sterling, Virginia.\n   \xe2\x80\xa2   The MITS organization\xe2\x80\x99s Cybersecurity office administers the Enterprise Directory and\n       Authentication Services, which provides identification and authorization for registered\n       users on the RUP.\nAll tax professionals who use the e-Services products must register by logging on to the RUP\nand creating an electronic account. 
The registration process is a one-time automated process\nwhere the user selects a username, password, and personal identification number.\nThis review was performed at the Wage and Investment Division\xe2\x80\x99s ETARC office in\nWashington, D.C.; the Electronic Products and Services Support function in\nAndover, Massachusetts; the MITS organization\xe2\x80\x99s Portal Program Management office and\nEnterprise Operations office in New Carrollton, Maryland; and the Cybersecurity office in\nMartinsburg, West Virginia. We performed the review during the period April through\nOctober 2009 and conducted our work in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\n                                                                                           Page 2\n\x0c                                  Additional Security Is Needed for\n                                Access to the Registered User Portal\n\n\n\nbased on our audit objective. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objective. Detailed information on our audit\nobjective, scope, and methodology is presented in Appendix I. Major contributors to the report\nare listed in Appendix II.\n\n\n\n\n                                                                                          Page 3\n\x0c                                   Additional Security Is Needed for\n                                 Access to the Registered User Portal\n\n\n\n\n                                 Results of Review\n\nSome Access Controls for the Registered User Portal and E-Services\nApplications Were Implemented but Improvements Are Needed\nThe IRS has established some of the access controls that are necessary to protect taxpayer data\nprocessed by the RUP and e-Services. 
Specifically:\n   \xe2\x80\xa2   Individuals, businesses, and organizations are required to register on the e-Services web\n       site. The information gathered during this registration process is used to confirm the\n       user\xe2\x80\x99s identity.\n   \xe2\x80\xa2   Users are automatically locked out after three unsuccessful logon attempts. This control\n       prevents hackers from forcing their way into the system by repeatedly trying to guess a\n       user\xe2\x80\x99s password.\n   \xe2\x80\xa2   Passwords are masked when typed to strengthen security over passwords.\n   \xe2\x80\xa2   E-Service applications display a warning banner to advise all persons attempting to gain\n       access that the system and its information are for authorized users only and attempts to\n       illegally log on to the system could lead to criminal prosecution.\n   \xe2\x80\xa2   No group, temporary, or emergency accounts on the RUP identification and authorization\n       servers existed. Avoiding these accounts is important because they offer unauthorized\n       users additional opportunities to access and exploit the system.\nAlthough the IRS has implemented some of the required security controls, additional controls are\nneeded to protect taxpayer information.\n\nSuitability checks were not performed on all users who e-file tax returns and\naccess taxpayer data\nThe IRS performs a suitability check when a principal or responsible official of a tax firm applies\nto file tax returns electronically. The suitability check was originally implemented because\nelectronic filing firms could change tax return data after the taxpayer signed the return but before\ntransmitting the return to the IRS. The ability to alter tax return data without the taxpayer\xe2\x80\x99s\nknowledge increased the risk of fraud for electronic filing firms as opposed to paper tax return\npreparers. 
Therefore, the IRS designed the suitability check to screen and monitor e-file\napplicants to ensure they meet and maintain the highest ethical standards.\nThe suitability check includes a tax compliance check, a check for prior noncompliance with\ne-file requirements, and a criminal background check. The criminal background check is\n                                                                                             Page 4\n\x0c                                        Additional Security Is Needed for\n                                      Access to the Registered User Portal\n\n\n\nperformed on a sample 5 of the applicants. The need to perform these suitability checks increased\nafter the IRS developed the three e-Services incentive products. A tax professional automatically\ngains access to these incentive products after filing five returns electronically. Despite these\nrisks, the IRS does not perform suitability checks on all users with the ability to e-file tax returns\nand access the e-Services incentive products.\nThe IRS allows principals and responsible officials to delegate their access rights to employees,\npartners, members of the firm, or any person with a business relationship with the firm. These\n\xe2\x80\x9cdelegated\xe2\x80\x9d users are not required to undergo a suitability check. In addition, a principal or\nresponsible official can assign a special \xe2\x80\x9cPrincipal Consent\xe2\x80\x9d privilege to a delegated user which\nallows the delegated user to propagate his or her privileges to other individuals. 
We found that\nthe IRS had 9,988 delegated users with the ability to e-file income tax returns and approximately\n6,500 of these users also had access to the e-Services incentive products.\nThe IRS made a decision to allow principals and responsible officials to assume the risks of\ndelegating their access rights to other individuals and believes the risks are mitigated by\nrequiring principals and responsible officials to file a Power of Attorney 6 with the IRS.\nHowever, taxpayers expect the IRS to protect their personal data, and we believe the Power of\nAttorney document does not provide the same assurance as the suitability check.\nFurther, since a delegated user does not need to be an employee or member of the firm, any\nindividual can become a delegated user. Many of the delegated users may have questionable\nbackgrounds. For example, in the sample of 111 RUP users that we evaluated, the IRS\nconducted a criminal background check on 18 users and found 6 had criminal records. A\ndelegated user could steal taxpayer data for identity theft purposes and grant access to other\nunscrupulous individuals. Reviewing an individual\xe2\x80\x99s background allows the IRS to make the\nappropriate decision on who should e-file tax returns or have access to the RUP and\ne-Services applications.\nIn July 2009, the MITRE Corporation 7 completed a review of the processes associated with the\nIRS e-file program and recommended the IRS require all e-file applicants, including delegated\nusers, undergo a suitability check. 
In its response, the IRS stated it would conduct an impact analysis and consider performing eligibility and qualification checks on every individual within a firm, rather than on the firm itself, and possibly assigning a separate Electronic Filing Identification Number 8 to specific individuals. We concur with the MITRE Corporation’s recommendation and the IRS’ proposed corrective action. Assigning a separate Electronic Filing Identification Number to each individual would allow for better accountability and identification of persons accessing e-Services products. However, the IRS has not established a time period for completing its impact analysis.

5 The IRS began conducting criminal background checks on most e-file applicants in June 2009.
6 A Power of Attorney is a written authorization to act on someone else’s behalf in a legal or business matter.
7 The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. The MITRE Corporation provides expertise in systems engineering, information technology, operational concepts, and enterprise modernization.

Procedures for approving e-file applicants who have a criminal record were not always followed
The criminal background check is part of the suitability check and includes collecting fingerprint cards and sending the cards to the Federal Bureau of Investigation. If the applicant has a criminal record, the Electronic Products and Services Support function in the Andover Campus 9 submits a Fraud Referral Sheet to the Criminal Investigation Division’s Fraud Detection Center (FDC). The FDC reviews the case and makes a recommendation whether to allow the applicant to participate in the e-file program. The applicant may submit an appeal if their application is denied. The FDC will review the appeal and decide whether to approve the application or uphold its previous recommendation. The applicant may submit a second appeal if the FDC upholds its previous recommendation. The second appeal must be sent directly to the Office of Appeals, which reviews the case and makes a recommendation on whether to accept the applicant. IRS procedures do not specify a role for the ETARC office in the appeals process.

**************************1**************************

We found the appeals procedures are not always followed. **************************1**************************.

**************************1**************************. The ETARC office believes that, as the business owner of the e-file program, it has this authority. We believe the FDC office has more expertise in preventing fraud, and this office’s recommendation should be accepted.
The risk of granting unscrupulous individuals access to the RUP and e-Services significantly increases when the IRS does not follow its procedures for approving users. **************************1**************************

8 The IRS requires that participants in the e-file Program use unique numbers called Electronic Filing Identification Numbers to identify who transmitted electronic returns through e-file and their role on the system. The Electronic Filing Identification Number is a six-digit number assigned by the IRS, and one number is assigned to a business entity at an address.
9 The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Manual suitability checks on an applicant’s spouse should be automated
IRS procedures require a tax compliance check on an e-file applicant and his or her spouse. For this requirement, the IRS has automated the tax compliance check. The tax information is extracted and analyzed efficiently using the Automated Suitability Analysis Program. This Program uses information from the IRS Master File 10 to determine an applicant’s and his or her spouse’s tax compliance for the last 6 years.
The tax compliance information for the applicant is posted to the Third Party Data Store. 11 However, limitations in the Third Party Data Store prevent it from recording the complete results of the spouse’s tax compliance check. As a result, the IRS must perform the spouse’s tax compliance check manually. Although the manual suitability processes are thorough, the processes are labor intensive, inefficient, and increase the risk of human error.
In our sample of 111 e-Services users, 30 users had spouses who required a manual suitability check. The employees in the Electronic Products and Services Support function must use other IRS computer systems to analyze the spouses’ tax compliance data and make a pass or fail decision. Since the employees do not maintain most of the documentation involved in this manual tax compliance check, we could not determine whether all of the required steps were taken.
We believe that enhancing the Third Party Data Store to post the results of a spouse’s tax compliance would reduce the risk of human error, ensure the check is completed in a more timely manner, and allow the IRS to use its staff more efficiently by eliminating the current labor intensive process.

10 The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
11 The system used to record and monitor information about individuals who have applied to participate in e-file.

Inactive user accounts on the RUP were not disabled and deleted in accordance with IRS security policies and procedures
IRS security policies and procedures require inactive user access accounts to be regularly monitored to ensure unneeded accounts are disabled and deleted in a timely manner. Inactive user accounts should be disabled after 45 days and permanently removed after 60 days. 12 The intent is to reduce the opportunity for malicious individuals to gain unauthorized access with an unused access account. The IRS had a total of 380,770 RUP user accounts, as of June 15, 2009, which consisted of the following segments.
• 235,290 registered user accounts. These users have completed the registration process on the RUP and have access to the e-Services products. We found 206,032 (88 percent) of the 235,290 registered users had not accessed their account within 45 days. However, the accounts were not disabled. Rather than implement the control to disable the accounts after 45 days, the IRS set the control to 720 days.
• 143,420 new accounts. These users began but did not complete the registration process. These users do not have access to the e-Services products but pose a risk because the applicant, or an individual posing as the applicant, could take steps to complete the registration process.
• 2,060 locked-out accounts. These are accounts that are locked for various reasons such as inactivity.
We believe many of the above accounts are not needed and should be removed from the RUP after a designated time period. For example, we found 86,553 (37 percent) of the registered user accounts had not been accessed within 720 days.
The IRS did not implement the inactive user account security controls because it wanted to accommodate the users, many of whom have only a seasonal need to use the RUP. Most electronic returns are filed during the 4-month filing season, which runs from January through mid-April each year. The IRS did not want to require tax professionals to re-register on the RUP each year. However, we believe the risks associated with operating the RUP and e-Services are increased when these security controls are not implemented.
Also, the procedures for requesting approval to deviate from these security controls were not followed. The IRS has comprehensive procedures that allow a Designated Approving Authority (DAA) 13 to deviate from required security controls. A risk-based decision must be completed and signed by the DAA to permanently omit a security control from the system. In addition, the DAA must complete a thorough risk assessment identifying potential threats to the system and review any supporting documentation of alternative approaches and recommendations for mitigation.

12 During our fieldwork, the IRS changed its requirement for removing inactive accounts to 180 days.
13 The Designated Approving Authority is a senior management executive with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
The MITS organization’s Cybersecurity office is required to analyze the risk-based decision and supporting documents and issue a recommendation to the DAA, who has the final authority to accept the risk.
After we raised the lack of inactive user account security controls to the attention of the ETARC office during our fieldwork, officials in this office immediately took action to obtain approval for a permanent deviation for the 45-day inactive account requirement. However, the risk-based decision procedures were not followed. A thorough assessment was not conducted by the DAA or the Cybersecurity office. In addition, the risk-based decision memorandum was not signed by the current DAA.
Lastly, the IRS has not taken action to permanently remove inactive RUP accounts or seek approval to deviate from this required security control. Inactive accounts may remain on the RUP indefinitely or until a user requests his or her account be removed.
Weak controls over user accounts could allow unauthorized individuals to gain access to the accounts, access taxpayers’ personal information, and commit fraudulent activities.

Password and username controls were not implemented
The IRS did not implement the required password complexity and username security controls for the RUP. Specifically:
• Passwords are not set to require a mix of lower case and upper case letters.
• Passwords are not set to expire after 60 days as required. Users’ passwords are set to expire after 180 days.
• Password minimum length is set to 8 characters instead of the required 12 characters.
• Password histories are not maintained for the last 24 passwords. Currently, only the last five passwords are maintained.
• Users are allowed to use Social Security Numbers as their username. Usernames are used along with a password to identify a system user.
The IRS did not implement the same password and username security controls that it required for its employees because the IRS wanted to make the RUP user friendly and accommodate the tax preparation firms. IRS officials informed us that too many password controls could create an undue burden on tax preparers during filing season, and possibly affect the timely filing of income tax returns.

Specifically on the use of Social Security Numbers as usernames, the Office of Management and Budget 14 required Federal agencies to implement security requirements to explore alternatives to the usage of Social Security Numbers as a personal identifier. Federal agencies were required to develop a plan to eliminate or reduce the unnecessary use of Social Security Numbers by September 2007 and take actions to eliminate or reduce the use of Social Security Numbers by March 2009. In response to the Office of Management and Budget memorandum, the IRS prepared the Social Security Number Elimination and Reduction Implementation Plan, dated November 29, 2007, and stated it is committed to achieving compliance and ultimately reducing risk by eliminating the unnecessary use of Social Security Numbers. However, the ETARC office informed us that e-Services users will continue to be allowed to use their Social Security Number as their username because the IRS has not developed a security policy prohibiting this practice.
The IRS should enforce its security policy and ensure user accounts are protected with strong passwords and usernames that cannot be easily guessed.
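As an added example (not the report's or the IRS's code), the following Python applies the thresholds cited in the inactive-account and password/username findings above to constructed RUP account records and settings: it lists each portal setting that falls short of the required value, classifies accounts for disabling or deletion at both the required 45/60-day limits and the 720-day setting actually in place, and flags usernames that have the structure of a Social Security Number. The account records, the two settings dictionaries and the SSN-range rules are assumptions constructed for the illustration; only the thresholds come from the report.

```python
"""Compliance checks for the RUP access-control findings (added example, not
code from the TIGTA report or the IRS). Account records, the settings
dictionaries and the SSN-structure rules are constructed for illustration;
only the thresholds come from the report's text."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Settings the report says IRS policy requires, beside the RUP values it found.
REQUIRED_POLICY = {"disable_after_days": 45, "delete_after_days": 60,
                   "password_min_length": 12, "password_expiry_days": 60,
                   "password_history": 24, "require_mixed_case": True,
                   "allow_ssn_username": False}
RUP_SETTINGS_FOUND = {"disable_after_days": 720, "delete_after_days": None,
                      "password_min_length": 8, "password_expiry_days": 180,
                      "password_history": 5, "require_mixed_case": False,
                      "allow_ssn_username": True}  # None: accounts never removed


def policy_gaps(required, found):
    """{setting: (required, found)} for every setting out of compliance. Day
    limits must exist and be no longer than required; minimum length and
    history depth must be at least the required value; flags must match."""
    gaps = {}
    for key, req in required.items():
        got = found.get(key)
        if key.endswith("_days"):
            ok = got is not None and got <= req
        elif key in ("password_min_length", "password_history"):
            ok = got is not None and got >= req
        else:
            ok = got == req
        if not ok:
            gaps[key] = (req, got)
    return gaps


SSN_SHAPE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(username):
    """True when a username has the structure of a Social Security Number:
    nine digits, optionally 3-2-4 with dashes, area not 000/666/900-999, group
    not 00, serial not 0000 (ranges the SSA never issues). A structure test is
    what a no-SSN-username rule needs: any nine-digit username that passes it
    is rejected, whether or not it is a real SSN."""
    m = SSN_SHAPE.match(username)
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


@dataclass
class Account:
    username: str
    segment: str                # "registered", "new" (incomplete) or "locked"
    created: date
    last_access: "date | None"  # None for accounts never logged on


def inactivity_action(acct, as_of, disable_after=45, delete_after=60):
    """'delete', 'disable' or 'keep'. Idle time runs from the last logon, or
    from creation for never-used accounts, so abandoned registrations age out
    too. delete_after=None models a portal that never removes accounts."""
    idle_days = (as_of - (acct.last_access or acct.created)).days
    if delete_after is not None and idle_days > delete_after:
        return "delete"
    return "disable" if idle_days > disable_after else "keep"


def inactivity_report(accounts, as_of, **thresholds):
    """Counter of (segment, action) plus the share of registered accounts idle
    past the disable threshold (the report's 88 percent is this share for the
    real population at 45 days)."""
    actions = {a.username: inactivity_action(a, as_of, **thresholds) for a in accounts}
    counts = Counter((a.segment, actions[a.username]) for a in accounts)
    registered = [a for a in accounts if a.segment == "registered"]
    idle = sum(actions[a.username] != "keep" for a in registered)
    return counts, (idle / len(registered) if registered else 0.0)


# Constructed sample records, aged against the report's 15 June 2009 date.
AS_OF = date(2009, 6, 15)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "registered", date(2007, 1, 10), date(2009, 2, 12)),
    Account("apreparer", "registered", date(2008, 11, 3), date(2009, 6, 1)),
    Account("123-45-6789", "registered", date(2008, 3, 5), date(2009, 5, 10)),
    Account("987654321", "registered", date(2005, 8, 20), date(2006, 12, 1)),
    Account("newapp1", "new", date(2009, 4, 1), None),
    Account("lockedone", "locked", date(2006, 2, 2), date(2009, 4, 20)),
]

if __name__ == "__main__":
    print(policy_gaps(REQUIRED_POLICY, RUP_SETTINGS_FOUND))
    print(inactivity_report(SAMPLE_ACCOUNTS, AS_OF))
    print(inactivity_report(SAMPLE_ACCOUNTS, AS_OF, disable_after=720, delete_after=None))
```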
The existence of weak passwords and the ability to use Social Security Numbers as personal identifiers present security vulnerabilities that could be exploited by a hacker. Usernames on e-Services are at a higher risk for disclosure, since usernames are not masked. Usernames are shown in clear text when typed. In addition, the IRS Helpdesk can provide any person an account username if they correctly answer two challenge questions. External threats for stealing taxpayer data or sabotaging computer systems can be greatly reduced with effective password and username controls.

The account lockout control was not fully implemented
The National Institute of Standards and Technology 15 recommends Federal agencies configure systems to automatically lock out a user after three unsuccessful logon attempts. The account lockout duration should be permanent until an authorized system administrator unlocks the user account. For the IRS, the account lockout control is one control to prevent unauthorized access to taxpayer information. However, this control was only partially implemented.
The IRS implemented the security control that automatically locks out users after three unsuccessful logon attempts on the e-Services. **************************2************************** Due to the large number of registered users on e-Services and the increased workload it may pose on the IRS Helpdesk, **************************2**************************.

14 Office of Management and Budget memorandum Safeguarding Against and Responding to the Breach of Personally Identifiable Information (M-07-16, dated May 22, 2007).
15 The National Institute of Standards and Technology is a Federal technology agency within the Department of Commerce that develops and promotes measurement, standards, and technology.

We believe that, given enough time and potential to try multiple username and password combinations, an attacker might eventually succeed in compromising the security of e-Services and gain access to sensitive taxpayer information.

Recommendations
Recommendation 1: To ensure taxpayer information is properly safeguarded and to strengthen security for e-Services, the Director, ETARC, Wage and Investment Division, should require suitability checks on delegated users who e-file tax returns or access the e-Services incentive products and disable the principal consent feature on e-Services that allows a user to propagate his or her privileges to other users.
Management’s Response: The IRS agreed with this recommendation.
The IRS stated it would implement suitability checks on delegated users who e-file tax returns or access the e-Services incentive products, subject to available funding and the MITS organization’s resource prioritization. The IRS also stated this action would eliminate the need to disable the e-Services principal consent feature.
Office of Audit Comment: We concur with the IRS statement that implementation of suitability checks on delegated users would eliminate the need to disable the e-Services principal consent feature.
Recommendation 2: To ensure only qualified applicants who meet IRS suitability standards are approved for the e-file program or given access to the e-Services incentive products, the Director, ETARC, Wage and Investment Division, should stop overturning the FDC’s recommendations and revise the appeal procedures for e-file applicants and other tax professionals who fail their suitability check. The procedures should specify that the Criminal Investigation Division’s FDC has the final authority to approve or disapprove an applicant with a criminal record.
Management’s Response: The IRS agreed that documentation of IRS final authority to approve or disapprove e-file applicant appeals should be strengthened and the criteria by which applicants’ appeals are evaluated should be clarified. The IRS stated that it recognized the research and recommendations of the FDC are a vital component of the approval process and believes that consideration should be given to extenuating circumstances, such as the nature of the offence and the length of time since the offence was committed.
In addition, the IRS believes the final authority for approvals of applicants with criminal records should not rest solely with the Criminal Investigation Division, and the IRS recognizes the need to have a comprehensive review of any deviations from the Criminal Investigation Division’s recommendations. Therefore, the IRS consulted with Criminal Investigation Division management and agreed that the IRS will establish a cross-business division Executive Review Board to formally consider deviations from the Criminal Investigation Division’s recommendations. The new board will include members from the Wage and Investment Division and the Office of Professional Responsibility, along with representatives from other business operating divisions. Further, the IRS will update its procedures to clearly reflect the standards of review and ensure a more consistent, balanced, and impartial suitability decision process.
Office of Audit Comment: We concur with the IRS decision to strengthen its procedures for evaluating applicants with criminal records and establish an Executive Review Board to formally consider any deviations from the Criminal Investigation Division’s recommendations.
Recommendation 3: To reduce the risk of human error and the amount of time needed for manually conducting a tax compliance check for an e-file applicant’s spouse, the Chief Technology Officer should enhance the e-file application on the Third Party Data Store to post the complete results of the Automated Suitability Analysis Program’s spouse tax compliance check.
Management’s Response: The IRS agreed with this recommendation.
The Director, ETARC, Wage and Investment Division, will submit a Unified Work Request to the MITS organization to request programming changes to the Third Party Data Store to allow posting of the complete results of the Automated Suitability Analysis Program’s spouse tax compliance check.
Recommendation 4: To mitigate the risk of an unauthorized intruder accessing an inactive access account, the Director, ETARC, Wage and Investment Division, should disable and delete inactive accounts in accordance with IRS procedures or follow the IRS’ risk-based decision procedures to obtain the required thorough assessment, recommendation, and approval from the MITS organization’s Cybersecurity office.
Management’s Response: The IRS agreed with this recommendation and stated it will work with the MITS organization’s Cybersecurity office to complete a full risk-based decision process, including the analysis and review, and will execute a revised risk-based decision memorandum that complies with the MITS organization’s standards and replaces the current memorandum dated September 29, 2009.
Recommendation 5: To make passwords more difficult to guess by unauthorized individuals and to decrease the use of Social Security Numbers as usernames, the Director, ETARC, Wage and Investment Division, should:
• Request the Chief Technology Officer enhance the identification and authorization component of the RUP to require passwords to contain a mix of lower case and upper case letters, set the password length to 12 characters, and prevent the use of Social Security Numbers as usernames.
• Obtain the required thorough assessment, recommendation, and approval from the Cybersecurity office and approval from the DAA to deviate from the IRS password expiration and history requirements.
Management’s Response: The IRS partially agreed with this recommendation. For the first bullet above, the IRS agreed to prevent the use of Social Security Numbers as usernames and to require passwords to contain a mixture of uppercase and lowercase letters. The IRS disagreed with the recommendation to set the password length to 12 characters, citing its revised procedures, dated July 31, 2009, to lower the minimum password length to 8 characters for all systems except the Windows operating system.
For the second bullet above, the IRS stated that although it took initial action to implement the risk-based decision procedures, it recognizes additional work needs to be conducted. The IRS stated it will work with the MITS organization’s Cybersecurity office to obtain the requisite thorough assessment, recommendation, and approval from the DAA to deviate from the IRS password expiration requirement.
The IRS stated it will submit a Unified Work Request to the MITS organization requesting the RUP be brought into compliance with the IRS password composition and history retention requirements. In addition, the IRS will submit a Unified Work Request to prevent Social Security Numbers from being used as usernames. In the interim, the ETARC office will modify an existing Unified Work Request to alert applicants not to use their Social Security Numbers as their usernames.
Office of Audit Comment: We confirmed the IRS lowered its password complexity requirements during our audit to require only eight characters for all non-Windows operating systems. Therefore, we concur with the IRS decision to not set the password length to 12 characters.
Recommendation 6: To prevent hackers from forcing their way into the RUP, the Director, ETARC, Wage and Investment Division, should request the Chief Technology Officer implement a control to allow users to answer a series of challenge questions to unlock their accounts.
Management’s Response: The IRS agreed with this recommendation and stated a Unified Work Request will be submitted to the MITS organization requesting programming modifications to include a series of challenge questions to allow users to unlock their accounts. The IRS also stated that other resource issues need to be evaluated to address additional costs associated with implementing this corrective action.

Audit Logs for the Registered User Portal Are Not Reviewed
The IRS is required to create, protect, retain, and analyze the audit logs of information systems that process taxpayer data to detect unlawful or unauthorized activities. Every interaction with taxpayer data through a system or application is an auditable event and should be reviewed. Audit logs should be used for periodic reviews and for real-time analysis.
We found the RUP audit logs created by the web servers located in Chicago, Illinois, and Sterling, Virginia, capture many of the required auditable events and are synchronized to the required IRS authoritative time source. 16 However, the IRS does not review the audit logs.
The Cybersecurity office provided three reasons why the RUP audit logs are not reviewed.
1) The data captured in the RUP audit logs are too voluminous to analyze. The Cybersecurity office informed us it has attempted numerous techniques to reduce the amount of data captured in the logs. However, its attempts to make the audit logs useful were not successful.
2) The Cybersecurity office does not have a process in place to review the activities of external users of systems such as the RUP.
3) The IRS has not allocated sufficient resources to the Security Audit and Analysis System 17 to review all audit logs from every computer system. Therefore, the IRS prioritizes the systems for which it will analyze audit logs, and the RUP audit logs are not ranked high enough on the priority list.
Proper review of audit logs ensures that activities performed on a system can be traced back to an individual. In addition, inadequate accountability controls could prevent the IRS from identifying and investigating security incidents, policy violations, fraudulent activity, and operational problems. We believe that the lack of RUP audit log reviews increases the likelihood that questionable activities could go unnoticed and intruders could gain access to sensitive taxpayer data without being detected.

16 The IRS requires all servers and audit logs be synchronized to the Greenwich Mean Time, which refers to a high-precision atomic standard to set time.
17 The Security Audit and Analysis System implements a data warehousing solution to provide online analytical processing of audit log data. The System enables the IRS to detect potential unauthorized accesses to IRS systems. It provides analysis and reporting capabilities for all modernized systems and for some current processing environment applications.

Recommendation
Recommendation 7: To detect unlawful or unauthorized activities on the RUP, the IRS Chief Technology Officer should instruct the Cybersecurity office to develop a process to analyze the activities of RUP users and begin reviewing the audit logs.
Management’s Response: The IRS agreed with this recommendation. The IRS stated that the RUP audit logs are currently being reviewed to detect unlawful or unauthorized activities. The IRS is currently using RealSecure to generate events in the audit logs. The employees are also required to document the date of their reviews.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS established effective access and audit trail controls for the RUP, which allows access to the IRS’ e-Services 1 suite of applications, to protect taxpayer data from unauthorized disclosure. To accomplish our objective, we:
I. Determined whether authentication controls were operating effectively to limit access to authorized users.
   A. Interviewed the Electronic Tax Administration office to determine whether an e-Authentication risk assessment was completed.
   B. Determined whether users have been properly registered and authorized.
   C. Determined whether generic, default, or duplicate accounts exist.
   D. Determined whether group accounts exist that would allow users to perform activities on the system without being identified.
   E. Determined whether temporary or emergency accounts exist.
   F. Determined whether inactive accounts exist.
   G. Determined whether user permissions have been restricted based on the principle of least privilege, which limits users’ abilities on the system to only those necessary to complete their assigned tasks.

      Sampling Methodology
      The IRS was unable to query the SiteMinder component of the Enterprise Directory and Authentication Services system to determine the total population of RUP users who have access to the e-Services incentive products. Therefore, we worked with the system administrators in the IRS MITS organization’s Cybersecurity office to select a random sample and accomplish this audit test. We selected 111 authorized users with access to the 3 e-Services incentive products (Disclosure Authorization, Electronic Account Resolution, and Transcript Delivery System). The users are segmented on the SiteMinder according to the first letter or digit of their username. There are a total of 36 segments on the system – 26 letters (A-Z) and 10 digits (0-9). We selected three users in each letter and digit segment, except digits 0 and 8. We selected 5 users for the digit 0 and 4 users for the digit 8. To verify the validity and reliability of the data in the SiteMinder, we compared the total number of RUP users on SiteMinder to the total number of RUP users on the IRS Third Party Data Store, which is a separate system used to record and monitor information about individuals who have applied to participate in the e-file program. The total number of users on the Third Party Data Store was commensurate with the total users on the SiteMinder.

   H. Determined whether password control for user accounts meets IRS guidelines.
   I. Interviewed system administrators to determine whether the system automatically locks out a user after three unsuccessful logon attempts.
   J. Determined whether the appropriate warning banner is displayed to warn all persons attempting to gain access to the system that the system and its information are for authorized users only and that attempts to illegally log on to the system could lead to criminal prosecution.
II. Determined whether the IRS properly captured, stored, analyzed, and retained audit trails.
   A. Obtained and reviewed the System Security Plan.
   B. Determined whether audit trails were properly captured.
   C. Determined whether audit trails were properly stored.
   D. Determined whether audit trails were properly retained.
   E. Determined whether audit trails were properly analyzed to detect unauthorized activities.

1 See Appendix IV for a list of e-Services products.

Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the Wage and Investment Division’s policies and procedures for processing e-file applications and administering RUP users’ access accounts, and the MITS organization’s processes for capturing and analyzing audit trails. We evaluated these controls by interviewing management, reviewing case files, and analyzing RUP users’ accounts.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Allen Gray, Audit Manager
John Brown, Senior Auditor
Charles Ekunwe, Senior Auditor
Cari Fogle, Senior Auditor
Michelle Griffin, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division SE:W:ETARC
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
   Commissioner, Wage and Investment Division SE:W
   Director, Program Oversight OS:CIO:SM:PO

Appendix IV

List of Internal Revenue Service E-Services Products

This appendix presents the different applications within the IRS’ e-Services suite of products 1 that can be accessed through the RUP.
1. Disclosure Authorization: The Disclosure Authorization application provides the ability for the registered user to edit, sign, and transmit a disclosure authorization transaction.
2. Electronic Account Resolution: Electronic Account Resolution allows tax professionals to expedite closure on a client’s account problems by electronically sending and receiving account-related inquiries. Tax professionals may inquire about individual or business account problems, refunds, and missing payments. Tax professionals must have a Power of Attorney document on file at the IRS before accessing a client’s account.
3. Transcript Delivery System: Transcript Delivery System provides self-service for return and account information requests by external tax professionals through the RUP. Transcript Delivery System transactions include self-service electronic communication, where the user can request and receive a transcript of a taxpayer’s personal tax data interactively through the RUP.
4. Registration Services: Before using other e-Services products, tax professionals must register online on the Registration Services to create an electronic account. The registration process is a one-time process for tax professionals to select a username, password, and personal identification number. An on-screen acknowledgment immediately confirms the registration process. For security purposes, a confirmation code is mailed to the tax professional to complete the registration process.
5. E-File Application: IRS E-File Application provides the online interface component through which an organization may apply for participation in the IRS e-file program. Functionality includes the ability to initially apply and/or revise an existing application for processing by the IRS.
6.
Preparer Tax Identification Number Application: The Preparer Tax Identification\n          Number Application lets paid preparers apply for and receive a personal identification\n          number immediately over the Internet.\n\n\n1\n    The first three e-Services products listed are referred to as incentive products.\n                                                                                               Page 20\n\x0c                             Additional Security Is Needed for\n                           Access to the Registered User Portal\n\n\n\n7. Interactive Taxpayer Identification Number (TIN) Matching: Interactive TIN\n   Matching is a prefiling service offered to banks or others that pay income subject to\n   backup withholding. Authorized payers can match up to 25 TIN and name combinations\n   against IRS records before submitting an information return. This prefiling check\n   prevents mismatches and possible penalties for the payer.\n8. Bulk TIN Matching: Similar to Interactive TIN Matching, the Bulk TIN Matching\n   allows authorized users to match up to 100,000 TIN and name combinations with IRS\n   records prior to submission.\n\n\n\n\n                                                                                 Page 21\n\x0c\x0c  Additional Security Is Needed for\nAccess to the Registered User Portal\n\n\n\n\n                                       Page 23\n\x0c  Additional Security Is Needed for\nAccess to the Registered User Portal\n\n\n\n\n                                       Page 24\n\x0c  Additional Security Is Needed for\nAccess to the Registered User Portal\n\n\n\n\n                                       Page 25\n\x0c  Additional Security Is Needed for\nAccess to the Registered User Portal\n\n\n\n\n                                       Page 26\n\x0c  Additional Security Is Needed for\nAccess to the Registered User Portal\n\n\n\n\n                                       Page 27\n\x0c  Additional Security Is Needed for\nAccess to 
the Registered User Portal\n\n\n\n\n                                       Page 28\n\x0c'